b"                                              Report Number:\n                                             DoDIG-2012-142\n                                          September 28, 2012\n\n\n\n\nDEPUTY INSPECTOR GENERAL FOR INTELLIGENCE\n    AND SPECIAL PROGRAM ASSESSMENTS\n\n\n\n   Summary Report of FY 2011 Inspections on\n Security, Intelligence, Counterintelligence, and\nTechnology Protection Practices at DoD Research,\n  Development, Test, and Evaluation Facilities\n\n\n\n\n     FOR OFFICIAL USE ONLY\n\x0cAdditional Information and Copies\n\nFor information and to request copies of this summary, contact the DoD Office of\n                               (b)(6)             (b)(6)\nInspector General at (703) 882-       or DSN 381-        .\n\nSuggestions for Future Audits and Evaluations\nTo suggest ideas for, or to request future audits or evaluations, contact the Office of the\nDeputy Inspector General for Intelligence and Special Program Assessments at\n           (b)(6)            (b)(6)\n(703) 882-        (DSN 381-         ) or UNCLASSIFIED fax (571) 372-7451. Ideas and\nrequests can also be mailed to:\n\n                       ODIG-ISPA (ATTN: ISPA Suggestions)\n                       Department of Defense Inspector General\n                       4800 Mark Center Drive (Suite 10J25)\n                       Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\nACAT                           Acquisition Category\nAFOSI                          Air Force Office of Special Investigations\nCPI                            Critical Program Information\nDoD CIO                        DoD Chief Information Officer\nDSS                            Defense Security Service\nIG                             Inspector General\nMDA                            Missile Defense Agency\nNCIS                           Naval Criminal Investigative Service\nOIG                            Office of Inspector General\nOPSEC                          Operations Security\nPM                             Program Manager\nRDA                            Research, Development, and Acquisition\nRDT&E                          Research, Development, Test, and Evaluation\nUSD(AT&L)                      Under Secretary of Defense for Acquisition, Technology,\n                                       and Logistics\nUSD(I)                         Under Secretary of Defense for Intelligence\n\n\n\n\n                              FOR OFFICIAL USE ONLY\n\x0c\x0cDISTRIBUTION:\n\nOFFICE OF THE SECRETARY OF DEFENSE\n  Under Secretary of Defense for Acquisition, Technology, and Logistics\n  Under Secretary of Defense for Policy\n  Under Secretary of Defense for Intelligence\n  DoD Chief Information Officer\n  Director, Defense Information Systems Agency\n  Director, Defense Security Service\n\nDEPARTMENT OF THE ARMY\n  Assistant Secretary of the Army for Acquisition, Logistics, and Technology\n  Commanding General, Army Materiel Command\n      G-2, Army Materiel Command\n  Deputy Chief of Staff, G-2\n  Inspector General, Department of the Army\n      Auditor General, Department of the Army Service\n\nDEPARTMENT OF THE NAVY\n  Assistant Secretary of the Navy for Research, Development, and Acquisition\n  Naval Criminal Investigative Service\n  Naval Inspector General\n  Auditor General of the Navy\n\nDEPARTMENT OF THE AIR FORCE\n  Assistant Secretary of the Air Force for Acquisition\n  Administrative Assistant to the Secretary of the Air Force\n  Inspector General, Department of the Air Force\n  Commander, Air Force Materiel Command\n  Commander, Air Force Office of Special Investigations\n  Auditor General of the Air Force\n\nCONGRESSIONAL COMMITTEES AND SUBCOMMITTEES, CHAIRMAN AND\n  RANKING\n  Senate Subcommittee on Defense, Committee on Appropriations\n  Senate Committee on Armed Services\n  Senate Select Committee on Intelligence\n  Senate Committee on Homeland Security and Governmental Affairs\n  House Committee on Armed Services\n  House Permanent Select Committee on Intelligence\n  House Committee on Oversight and Government Reform\n  House Subcommittee on Government Management, Organization, and\n     Procurement, Committee on Oversight and Government Reform\n  House Subcommittee on National Security and Foreign Affairs, Committee on\n     Oversight and Government Reform\n\n\n                            FOR OFFICIAL USE ONLY\n\x0cReport No. DoDIG-2012-142 (Project No. D2012-DINT01-0162.000)                 September 28, 2012\n\n               Results in Brief: Summary of FY 2011\n               Inspections on Security, Intelligence,\n               Counterintelligence, and Technology\n               Protection Practices at DoD Research,\n               Development, Test, and Evaluation Facilities\nWhat Was Done                                     Moreover, the level of training related to CPI\nThis summary is a compilation of inspection       protection varied, with some personnel with no\nresults from the DoD, Service, and Missile        training, others with training acquired on the job\nDefense Agency (MDA) Offices of Inspectors        and still others with training offered by the\nGeneral (OIG) and, where available, notes the     research, development, and acquisition (RDA)\nbest practices of each. The DoD OIG assessed      program support organization.\nan acquisition category 1D program; the Service\nIGs selected 34 of 118 research, development,     Resources. DoD OIG\xe2\x80\x99s assessment found no\ntest, and evaluation (RDT&E) facilities under     embedded program security support. The\ntheir purview for inspection; and the MDA         program management office did not track all\nlooked at the effectiveness of their critical     security costs nor did they report program\nprogram information (CPI) identification and      protection or security-related expenditures, in\nprogram protection planning efforts, as well as   order to establish budget projections for security\ntheir international security program. These       throughout the program\xe2\x80\x99s life-cycle and with\ninspections ensure a uniform system of periodic   measuring the return on the security\nreviews for compliance with directives            expenditures.\nconcerning security, intelligence,\ncounterintelligence, and technology protection    Security and Other Support. Although\npractices. The OIGs used the biennial             program staff requested and were provided\ninspection guidelines that focus on eight key     intelligence support, it was not timely nor\nissue areas related to program protection.        tailored to CPI, adversely affecting the PM\xe2\x80\x99s\n                                                  ability to implement an effective program\nWhat Was Found                                    protection plan. Service findings ranged from\nIdentifying CPI. Generally, an effective          PMs not using counterintelligence assets\nprocess for identifying CPI was found, with       correctly to counterintelligence assets being\nsome having a standardized process for            spread thin due to deployments and ad-hoc\nidentifying CPI. However, 5 of the 35 sites       tasking.\ninspected did not adequately identify specific\nCPI.                                              Foreign Visitor Program. No major issues\n                                                  were noted with the effectiveness of the\nProgram Protection Planning. Efforts to           programs inspected. MDA was using the\nprotect CPI are not integrated and synchronized   Foreign Visits System \xe2\x80\x93 Confirmation Module.\nto the greatest extent possible. In some\ninstances, program protection plans were not      Horizontal Protection. Data from an Air Force\ncompleted and could not be assessed. However,     program was on a separate horizontal protection\nin general CPI was incorporated into program      database, but recent guidance will allow Air\nprotection plans.                                 Force to use the Acquisition Security Database.\n\nTraining and Education. Training for the          CPI Policies. While DoD and Service policies\nprotection of CPI was not tailored for            to protect CPI have progressed in recent years,\nintelligence and security personnel; and some     there is still a need for improvement.\npersonnel were not qualified to do the job.\n                                                i USE ONLY\n                                      FOR OFFICIAL\n\x0cTable of Contents\nIntroduction                                                                     1\n\n   Scope and Methodology                                                         1\n\n   Background                                                                    1\n\nIssue Areas for Assessment and Inspection\n\n   Critical Program Information (CPI) Identification and Criticality Analysis   2\n\n   Program Protection Planning                                                   4\n\n   Training and Education to Protect Critical Program Information, Critical\n        Functionality, and Critical Components                                   6\n\n   Use of Resources/Billets to Protect Critical Program Information, Critical\n       Functionality, and Critical Components                                    7\n\n   Security, Intelligence, and Counterintelligence Support to Protect\n       Critical Program Information, Critical Functionality, and\n       Critical Components                                                       9\n\n   Foreign Visits Program                                                       12\n\n   Horizontal Protection of Critical Program Information, Critical\n       Functionality, and Critical Components                                   14\n\n   Policies to Protect Critical Program Information, Critical\n        Functionality, and Critical Components                                  16\n\nAppendices\n\n   A. Memorandum of Understanding                                               18\n\n   B. List of Service Facilities Inspected                                      22\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n\x0cIntroduction\nIn accordance with DoD Instruction 5200.39, \xe2\x80\x9cCritical Program Information (CPI)\nProtection Within the Department of Defense,\xe2\x80\x9d July 16, 2008, Enclosure 2, paragraph 5,\nthis report consolidates the assessment and inspection results of participating Inspectors\nGeneral (IGs) who inspect technology protection, security, intelligence, and\ncounterintelligence practices at RDT&E facilities.\n\nScope and Methodology\nThis summary covers inspections of security, intelligence, counterintelligence, and\ntechnology protection, activities at DoD RDT&E facilities conducted by or at the\ndirection of the participating IGs, as outlined in Appendix A. It also includes the results\nof the second in a series of three reports by the DoD OIG, 1 Report No. 11-INTEL-08,\n\xe2\x80\x9cDoD Efforts to Protect Critical Program Information: The Air Force\xe2\x80\x99s Family of\nAdvanced Beyond Line-of-Sight Terminals,\xe2\x80\x9d April 15, 2011.\n\nThe DoD OIG consolidates and distributes the lists of major RDT&E facilities to the\nparticipating IGs, the Assistant Secretary of Defense for Research and Engineering, and\nthe Director, Defense Test Resource Management Center. The Assistant Secretary of\nDefense for Research and Engineering and the Director, Defense Test Resource\nManagement Center, may recommend additional Defense agency facilities for inspection.\nThe participating IGs select from their respective lists those facilities that will be\ninspected and forward the selections to the DoD OIG, as outlined in Appendix B.\n\nThe inspections were performed during the course of the inspection programs of the\nparticipating IGs, to include, in the case of military IGs, the inspection programs of their\nsubordinate IGs. To ensure uniformity and consistency of inspections, the DoD OIG\nbiennially issues guidelines for DoD IGs. The participating IGs coordinate modifications\nor customizations of the inspection guidelines. The participating IGs conducting or\ndirecting inspections ensure that inspection findings and recommendations are addressed\nand implemented.\n\nThe participating IGs use their own procedures to write findings and recommendations\nwithin their respective areas of responsibility. The participating IGs prepare and forward\nany significant findings and recommendations, upon the conclusion of each inspection to\nthe DoD OIG and the DoD OIG produces this summary. The DoD OIG did not review or\nverify the information provided.\n\nBackground\nIn 2010, the DoD OIG published the latest biennial version of inspection guidelines for\nuse by IGs and other oversight practitioners to enhance the protection of CPI. Different\nfrom previous years, the guidelines are tailored to focus on the eight key issue areas that\nassist in determining the effectiveness to protect CPI.\n\n\n\n\n1\n  The Office of the Deputy Inspector General for Intelligence and Special Program Assessments is the\nOffice of Primary Responsibility within the DoD OIG for matters relating to inspections of RDT&E\nfacilities.\n\n                                  FOR OFFICIAL USE ONLY\n                                            1\n\x0cThe inspection guidelines were developed to provide consistency across the Department\nwhen assessing security, intelligence, and counterintelligence support to RDA protection\nefforts aimed at protecting CPI. The guidelines focus on eight key issue areas that assist\nin determining the effectiveness to protect CPI. The eight key issue areas for inspections\n(with additions to this iteration highlighted) to address are:\n\n   1. CPI identification and criticality analysis;\n   2. program protection planning;\n   3. training and education to protect CPI, critical functionality, and critical\n      components;\n   4. use of resources/billets to protect CPI, critical functionality, and critical\n      components;;\n   5. security, intelligence, and counterintelligence support to protect CPI, critical\n      functionality, and critical components;\n   6. foreign visits program;\n   7. horizontal protection of CPI, critical functionality, and\n      critical components; and\n   8. policies to protect CPI, critical functionality, and critical components.\n\nSuccess in each of the eight key issue areas leads to enhanced counterintelligence,\nintelligence, and security support to RDT&E facilities and the acquisition process.\nFocusing the annual inspections on these eight key areas provides a better ability to\nidentify trends and systemic issues.\n\nThe office of the USD(AT&L), provided a chart depicting the vast amounts of policy\nrelated to RDA protection. The chart found at the link below, organizes acquisition\nsecurity policies and guidance by purpose and 23 offices of responsibility. The chart\nshows the 145 policies that an acquisition program may need to comply with.\nhttp://www.acq.osd.mil/se/docs/acq-security-policy-tool/index.html.\n\n1. Critical Program Information (CPI) Identification and\nCriticality Analysis\nThis issue area was assessed to determine whether published guidance for the\nidentification of CPI is relevant and adhered to by program, security, intelligence, and\ncounterintelligence personnel. We also sought to determine whether there was a\nworking-level integrated product team to assist with and collaborate on the identification\nof CPI. If so, we wanted to assess how the mission, composition, and effectiveness of the\nworking-level integrated product team contributed to the identification of CPI and\nwhether the working-level integrated product team performed a functional decomposition\nof the program or system.\n\nDoD Office of Inspector General\nIn the case study of the acquisition category (ACAT) ID Air Force program, the program\noffice staff had an effective process for identifying CPI and an integrated product team\ncomprised of systems engineering, information assurance, engineering management,\nbusiness management, software engineering experts, and the Air Force Office of Special\nInvestigations (AFOSI). Security, counterintelligence, intelligence, and user\nrepresentatives served in an advisory capacity. The Air Force program successfully used\na cross-discipline integrated product team that included systems engineers in accordance\nwith the DoD Instruction 5200.39 requirement for cross-discipline teams.\n\n\n                             FOR OFFICIAL USE ONLY\n                                       2\n\x0cOffice of the Army Inspector General\nThe Office of the Army IG had no significant findings in this issue area.\n\nOffice of the Naval Inspector General\nCommands inspected had a standardized process for identifying CPI in accordance with\ngoverning instructions; and anti-tampering procedures were instituted where applicable.\n\nOffice of the Air Force Inspector General\nOf the twenty-two inspected, five of six Center\xe2\x80\x99s PMs did not adequately identify specific\nCPI. PMs identified operations security information as CPI. PMs also identified broad\nCPI categories without proper drill down to identify CPI. The Air Force IG\nrecommended that programs conduct more in-depth training and that PMs conduct full\nsystem decomposition of programs and work with associated programs to identify CPI\nand inherited CPI, and include support contractors in CPI protection efforts. One agency\ndid not coordinate with owning sub-system program offices to obtain program protection\nplans so they could identify inherited CPI and associated countermeasures.\n\nMissile Defense Agency (MDA)\nMDA reviewed steps taken during the CPI assessment phase for one program. The\nprogram was selected because it was the first to execute the CPI assessment phase\nfollowing issuance of MDA\xe2\x80\x99s new instruction, MDA Instruction 5200.08-INS, \xe2\x80\x9cCritical\nProgram Information Protection Within the Missile Defense Agency,\xe2\x80\x9d August 1, 2011,\nand draft CPI protection manual. Specifically, MDA identified and surveyed members of\nthe integrated product team, determined if immediate countermeasures were identified,\nand determined if MDA 5200.08-INS and the MDA CPI protection manual were\nfollowed. The program used the following in identifying and protecting CPI during the\nCPI assessment phase:\n\n   \xe2\x80\xa2   The program\xe2\x80\x99s integrated product team had a diverse workgroup to represent the\n       key areas involved during the CPI/program protection planning process including\n       acquisition, engineering, security, intelligence, and counterintelligence personnel.\n   \xe2\x80\xa2   The functional decomposition list, which breaks down the entire program into\n       smaller more tangible segments, included the areas evaluated for CPI and\n       indentified sources and references.\n   \xe2\x80\xa2   The integrated product team identified broad immediate countermeasures after the\n       identification of candidate CPI.\n   \xe2\x80\xa2   The Director for Engineering appropriately chaired and initiated the Acquisition\n       Program Protection Panel to review and approve the candidate CPI, and signed\n       the CPI assessment memorandum prepared in accordance with MDA guidance.\n   \xe2\x80\xa2   Based on the identification of CPI, a program protection plan was drafted. The\n       program protection plan is treated as a living document and is updated on a\n       continuous/as needed basis until approved, and the program office is awaiting the\n       multidisciplinary counterintelligence threat assessment from the\n       counterintelligence personnel before moving forward with program protection\n       plan approval.\n   \xe2\x80\xa2   The program\xe2\x80\x99s security classification guide was initiated and included CPI\n       protection information and they are awaiting the multidisciplinary\n       counterintelligence threat assessment from the counterintelligence personnel\n       before finalizing the draft security classification guide.\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       3\n\x0c2. Program Protection Planning\nThis issue area was assessed to determine whether published guidance for the planning of\nprogram protection is relevant and adhered to by program, intelligence, counter-\nintelligence, and security personnel and to ensure that program protection planning was\nin accordance with DoD Instruction 5200.39 and corresponding Service policy.\n\nDoD Office of Inspector General\nBecause the Air Force ACAT ID program office had not completed its program\nprotection plan; we were unable to assess the plan\xe2\x80\x99s effectiveness. The program was\ntaking the steps to formally notify the prime contractor, second-tier integrator, and\nrelevant subcontractors of the potential existence of CPI, and had plans to direct\nappropriate protection measures. However, Defense Security Service (DSS) personnel\nwere not informed that program CPI resided within the prime contractors\xe2\x80\x99 and\nsubcontractors\xe2\x80\x99 facilities. One reason was that the presence of CPI was not identified in\nthe DD Form 254. Program management offices should notify the DSS office covering\ncleared contractor facilities holding CPI of the CPI presence, nature, and any special\nconcerns (unique compromising characteristics). Publishing guidance that provides\nmodel contract language would make it easier for programs to contract for CPI\nprotection. Program management offices should:\n\n   \xe2\x80\xa2   provide the DSS with the program protection plan and the program office\xe2\x80\x99s\n       specific requirements for the cleared contractor and the related documents for the\n       protection of CPI, a list of the related counterintelligence and security risks to the\n       contractor, and a copy of the relevant counterintelligence support plan;\n   \xe2\x80\xa2   ensure that contracts require the prime contractor to participate in the\n       identification of CPI and to implement countermeasures for identified CPI at\n       contractor facilities;\n   \xe2\x80\xa2   ensure contracts and DD Forms 254 include clauses authorizing certain\n       Government personnel access to prime contractor and subcontractor facilities to\n       conduct surveys, assessments, inspections, and investigations as necessary to\n       make sure CPI is properly protected; and\n   \xe2\x80\xa2   include language in contracts that the prime contractor must:\n           o communicate program protection requirements to subcontractors that will\n               have access to or will be providing CPI,\n           o require subcontractors to continually monitor protection measures, and\n           o monitor the subcontractors\xe2\x80\x99 performance monitoring.\n\nOnce the program protection plan is complete, the PM should fully implement\ncountermeasures articulated in the program protection plan, meeting specific milestone\ndates for their implementation; develop a tracking system for monitoring the\nimplementation of the countermeasures; conduct site visits to assess the contractor\xe2\x80\x99s\nimplementation of the countermeasures; and use the results of the site visits to evaluate\nthe effectiveness of the countermeasures. The PM should also require the contractor to\nprepare a program protection implementation plan to inform the program management\noffice how the contractor intends to protect CPI and implement the countermeasures\narticulated in the program protection plan.\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       4\n\x0cGuidance was not developed that specifically addressed the protection requirements for\nCPI that resides on contractor-owned and -operated information systems. The DoD Chief\nInformation Officer, in coordination with the USD(AT&L) and the Under Secretary of\nDefense for Intelligence (USD(I)) agreed to our recommendation to develop and publish\nsecurity requirements for contractors processing CPI on contractor-owned and -controlled\ninformation systems; to which they concurred and initiated a Defense Federal Acquisition\nRegulation System case in March 2011.\n\nThe program staff requested and was provided the required counterintelligence and\nintelligence support and threat-related data. However, the threat data was not timely,\naffecting the PM\xe2\x80\x99s ability to formulate and implement an effective program protection\nplan. Furthermore, the threat data was not tailored to the CPI, decreasing the utility for\nprogram staff. The modular approach of the Virtual System Threat Assessment Report\nmay offer a more streamlined process for creating and updating System Threat\nAssessment Reports.\n\nOffice of the Army Inspector General\nIdentified CPI was incorporated into program protection plans at all facilities inspected in\n2011.\n\nOffice of the Naval Inspector General\nIn general, Navy PMs are trained on program protection planning processes for\nprotecting CPI and on overall DoD and Navy acquisition security requirements. CPI\nelements were identified and incorporated into a program protection plan. Ability to\ncorrectly identify CPI elements at other facilities remains under examination as of this\nreport. In addition, security personnel were working closely with other competencies to\nprotect CPI through anti-tamper and CPI protection contract clauses. Specific attention\nand support is being provided to the Science and Technology office in order to build\nprogram protection plans into small business and rapid development contracts.\n\nOffice of the Air Force Inspector General\nDuring the Office of the Air Force IG\xe2\x80\x99s inspection, two unit PMs did not seek milestone\ndecision authority or commensurate execution authority approval in writing affirming\nthat a program protection plan was not required due to the absence of CPI associated with\ntheir program\xe2\x80\x99s technologies. A system PM did develop and implement a program\nprotection plan with cooperation from staff elements (i.e., security, foreign disclosure,\ncounterintelligence, intelligence, modification managers, systems engineering, test and\nevaluation, technical staff and others) external to the program. As a result, one unit has\naccomplished a program protection plan waiver to document \xe2\x80\x9cNo CPI\xe2\x80\x9d determinations\nand the other is developing a program protection plan waiver to document its \xe2\x80\x9cNo CPI\xe2\x80\x9d\ndetermination.\n\nMissile Defense Agency\nMDA\xe2\x80\x99s internal audit of their CPI/program protection plan procedures determined they\nwere appropriate and complied with both DoD and MDA policies to prevent the\nunauthorized disclosure of critical information. MDA limited the scope to the first phase\nof the program protection process\xe2\x80\x94the CPI assessment phase\xe2\x80\x94since only one MDA\nprogram had initiated the new process and had not begun the other phase. MDA\ndetermined the control and oversight for the CPI Assessment phase was adequate to\nprotect CPI within MDA and horizontally across DoD and comply with applicable DoD\nand MDA guidance and instructions.\n\n                              FOR OFFICIAL USE ONLY\n                                        5\n\x0cMDA\xe2\x80\x99s Research, Development and Acquisition Security Directorate recognized the\nneed for CPI reassessments and proactively prioritized needed program protection plan\nassessments. Based on reviews for currency and appropriate approvals, MDA identified\nthree of seven program protection plans were not completed and approved - two are\nalready undergoing a reassessment review and the third, MDA is seeking the appropriate\ndisposition.\n\n3. Training and Education to Protect Critical Program\nInformation, Critical Functionality, and Critical\nComponents\nThis issue area was assessed to determine whether published guidance for training to\nidentify and protect CPI is relevant and adhered to by program, intelligence,\ncounterintelligence, and security personnel.\n\nDoD Office of Inspector General\nWe determined that training and education for the protection of CPI was not tailored to\nthe specific roles that are involved in RDA protection. While the amount of experience\nvaried, the majority of the personnel interviewed about Air Force and the ACAT ID\nprogram CPI protection efforts had many years of experience on major weapon system\nacquisition programs. However, the level of training related to CPI protection varied.\nThere were personnel with no training, those with training acquired on the job, and others\nwith training offered by the RDA program support organization.\n\nAvailable training varied significantly. The level 1 and 2 acquisition courses at the\nDefense Acquisition University minimally address counterintelligence, intelligence, and\nsecurity support to RDA protection. Training did not entail a review of the program\nprotection process, including CPI assessment and the generation of the technology and\nprotection plans. The Joint Counterintelligence Training Academy offers counter-\nintelligence support to RDA protection training and provides advanced counter-\nintelligence training to Defense counterintelligence components. The Academy also\nprovides training to other intelligence community personnel on a limited basis. However,\nthe counterintelligence support to RDA protection training is not structured for non-\ncounterintelligence personnel, who typically provide a large share of the RDA protection\nsupport to PMs.\n\nIn April 2011, the Defense Security Service created an \xe2\x80\x9cIntroduction to Critical Program\nInformation\xe2\x80\x9d course, an introductory, web-based course for DoD or Defense Industrial\npersonnel working on programs which may contain CPI. The training covers the purpose\nand identification process of CPI, including an explanation of how CPI identification and\nrequired continuous security protection procedures fit into the Defense acquisition life\ncycle. The course provides policy guidance, steps taken to identify CPI (threat\nassessment, vulnerabilities, risk management), required procedures to support CPI, and a\nreview of the program protection plan and countermeasure requirements.\n\nThere was no tailored CPI protection training. In fact, intelligence and security-related\ntraining for the protection of CPI is inconsistent. Training tailored to participants\xe2\x80\x99 roles\nneeds to be developed and made available by the organization most able to deliver it\neffectively and efficiently. Research, development, and acquisition program support\norganizations, the Defense Acquisition University, and the Defense Security Service\nshould be considered as delivery mechanisms for training.\n\n\n                              FOR OFFICIAL USE ONLY\n                                        6\n\x0cWe recommended that the USD(AT&L), in collaboration with the USD(I), and the DoD\nChief Information Officer develop standardized guidance for training in CPI protection\nfor use by the RDA protection community; to which they concurred.\n\nOffice of the Army Inspector General\nOperations Security (OPSEC) training was occurring in all facilities inspected, however,\nemployee knowledge of Essential Elements of Friendly Information could be better.\nMost facilities had their Essential Elements of Friendly Information posted in common\nareas and also in office cubicles, so knowledge improved over previous years. All\nOPSEC Officers inspected had attended required training classes.\n\nOffice of the Naval Inspector General\nMany CPI protection countermeasures identified in the DoD IG guidelines are beyond the\nskill set of security specialist inspectors and reflect a requirement for acquisition manager\nexpertise to credibly inspect.\n\nOverall, the programs inspected are properly staffed and the personnel are adequately\ntrained. The security programs are robust, required training is conducted during New\nEmployee Orientation, internal training resources are highlighted, and security awareness\nbulletins are posted on the SharePoint portal on a periodic basis. An internal OPSEC\ntraining module is provided that satisfies annual training requirements, and gives\nguidance on OPSEC policies and practices, including social media awareness.\n\nOne item worth mentioning is the user-friendly and helpful Space and Naval Warfare\nSystems Command Web 2.0, which is the internal web page that includes security blogs,\neducational wikis, and, other information, the latest in CPI policy and strategy. Also, it\nprovides personnel with automated tools to complete various levels of security education\nrequirements and its OPSEC Observer is an excellent initial reference resource for CPI\nand export controls.\n\nOffice of the Air Force Inspector General\nIn the area of training and education to protect CPI, three units failed to implement\nspecific training programs. Therefore, personnel were not informed on the efforts,\nprocedures and methods of protection. Development of a training plan was\nrecommended.\n\nMissile Defense Agency\nMDA\xe2\x80\x99s Research, Development and Acquisition Security Directorate developed helpful\nand creative CPI training for MDA programs going through Phase 1-- CPI Assessment.\nThe Directorate plans to provide additional training when programs get to the next phase\nof the CPI process. The Directorate also provided a virtual toolbox to further educate and\ntrain responsible personnel in the identification and protection of CPI.\n\n4. Use of Resources/Billets to Protect Critical Program\nInformation, Critical Functionality, and Critical\nComponents\nThis issue area was assessed to determine whether program, intelligence, counter-\nintelligence, and security personnel assigned to protect CPI are appropriately used.\n\n\n                              FOR OFFICIAL USE ONLY\n                                        7\n\x0cDoD Office of Inspector General\nThe Air Force ACAT ID program did not have embedded program security support. The\nprogram received security support from a Wing, which in addition to the ACAT ID\nprogram supported at least 14 other programs.\n\nThe program management office did not track all security costs. The draft program\nprotection plan included estimated costs for program protection in the following\ncategories: Systems Security Engineering, Information Security Program Management,\nand Security Management/Oversight. However, the program protection plan stated,\n\xe2\x80\x9cprogram protection costs associated with these categories are predominantly embedded\ncosts as no program protection-specific work breakdown structures were established at\ncontract award.\xe2\x80\x9d Further, costs related to Systems Security Engineering, to include\nprogram personnel, are considered embedded costs and these costs cannot be easily\nidentified or captured for estimating purposes.\n\nInterviews of Air Force Office of Special Investigations (AFOSI) personnel noted a level\nof uncertainty about who has access to the CPI, as well as the method and timing for\nwhen they should be notified of such access. The interviews also noted uncertainty\nregarding processes for identifying the presence of CPI and controlling access to CPI;\nspecifically, who can or should be informed. Additionally, AFOSI production of tailored\nthreat products was being impacted by lack of resources, as well as the level of technical\ncompetencies of the analysts. The AFOSI analysts at the Integrated Threat Assessment\nCell lacked engineering competencies that would assist in the analysis of science and\ntechnology matters. These analyst\xe2\x80\x99s backgrounds were primarily in the\ncounterintelligence arena. Also, wartime levies on AFOSI personnel stretched thin the\nnumbers of agents and their levels of RDA protection experience.\n\nThe DSS is responsible for approximately 13,000 cleared facilities. According to the\nDSS, there is a sizable deficit of industrial security representatives to cover cleared\nfacilities as well as counterintelligence personnel to provide support to the protection of\nCPI in cleared companies. On January 15, 2009, the Deputy Secretary of Defense signed\na memorandum directing that the resources necessary to implement recommendations\nfrom a 2008 Defense Security Service Future Options Study be added to the Defense\nSecurity Service program for FYs 2010-15.\n\nThese resources include 450 civilian full-time equivalents to strengthen the Defense\nSecurity Service and allow it to more effectively accomplish its mission: industrial\nsecurity, education and training, counterintelligence, and information technology.\nAlthough the number of counterintelligence personnel supporting the CPI threat\nassessment process is increasing, the ratio is still approximately 1 counterintelligence\nagent to 300-400 cleared defense facilities.\n\nThe Air Force ACAT ID program did not fully track security costs, nor did they report\nprogram protection or security-related expenditures. Tracking and reporting these\nexpenditures assists program management offices with establishing budget projections\nfor security throughout the program\xe2\x80\x99s life-cycle and with measuring the return on the\nsecurity expenditures.\n\n\n\n\n                              FOR OFFICIAL USE ONLY\n                                        8\n\x0cIn DoD IG Report No. 10-INTEL-09, \xe2\x80\x9cAssessment of Security Within the Department of\nDefense \xe2\x80\x93 Tracking and Measuring Security Costs,\xe2\x80\x9d August 6, 2010, we recommended a\ncomprehensive and integrated security framework to facilitate tracking security costs,\nmore accurately programming future years security budgets, and examining the return on\ninvestment for security expenditures, to which management concurred and draft DoD\nDirective 5200.LL, \xe2\x80\x9cManagement of the Defense Security Enterprise,\xe2\x80\x9d is expected to be\nsigned by the Deputy Secretary of Defense in third quarter 2012.\n\nAlso, the newly created Defense Security Enterprise Executive Committee, which was\ncreated by the draft directive, was established and held its inaugural meeting on\nJanuary 12, 2012. At that meeting security costs were discussed and the Executive\nCommittee is currently researching additional information and guidance for identifying\nand tracking security costs. Both the Directive and the and the Defense Security\nEnterprise Executive Committee will begin the process of establishing a comprehensive\nand integrated security framework for the Department, to include developing DoD\nsecurity cost factors to better track security costs, more accurately program future years\nsecurity budgets, and examine the return on investment for security expenditures.\n\nOffice of the Army Inspector General\nThe Office of the Army IG did not note any significant findings in this area this year.\n\nOffice of the Naval Inspector General\nThe Office of the Naval IG did not note any significant findings in this area.\n\nOffice of the Air Force Inspector General\nThe Office of the Air Force IG did not inspect this area.\n\nMissile Defense Agency\nThe Missile Defense Agency\xe2\x80\x99s auditors did not note any significant findings in this area.\n\n5. Security, Intelligence, and Counterintelligence\nSupport to Protect Critical Program Information, Critical\nFunctionality, and Critical Components\nThis issue area was assessed to determine whether published guidance to enable\ncounterintelligence, intelligence, and security personnel and programs to support the\nprotection of CPI is relevant and adhered to by program, intelligence, counterintelligence,\nand security personnel.\n\nDoD Office of Inspector General\nThe Air Force ACAT ID program staff did request and were provided requisite\ncounterintelligence and intelligence support and threat-related data. However, because\nthreat data was neither timely nor tailored to the CPI, it adversely affected the PM\xe2\x80\x99s\nability to formulate and implement an effective program protection plan. Moreover,\nwhile counterintelligence personnel were known to program staff, DSS personnel were\nnot. As a result, the DSS was not informed of the existence of CPI, nor was a program\noffice point of contact for reporting violations annotated on the DD Form 254.\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       9\n\x0cCounterintelligence support personnel were known to program management office\npersonnel, participated in the CPI identification process, and prepared a\ncounterintelligence support plan. The counterintelligence support plan contained\nsufficient detail for program management office personnel to understand the support that\nthey could expect to receive from counterintelligence support personnel. Additionally, in\naccordance with the counterintelligence support plan, an integrated threat assessment was\nrequested from AFOSI\xe2\x80\x99s Integrated Threat Assessment Cell. Program protection\noversight personnel expressed concern that intelligence and counterintelligence threat\nproducts were not timely, thereby adversely impacting the PM\xe2\x80\x99s ability to formulate and\nimplement an effective program protection plan once CPI was identified.\n\nDoD and Air Force policies require the PM to immediately develop a program protection\nplan. The program protection plan guides the development of enhanced controls and\nestablishes cost effective countermeasures for the protection of CPI based on the existing\nthreat. Intelligence and counterintelligence threat products inform the formulation of\nprogram protection plans and allow the PM to make informed, objective, risk-based\ndecisions resulting in the most cost-effective countermeasures for the protection of CPI.\nThe production of threat products may take up to 180 days or more from the time CPI is\nidentified. However, DoD Manual 5200.1-M, paragraph C2.4.2 states that the DoD goal\nfor the return of a complete multidisciplinary counterintelligence threat assessment is 120\ndays from receipt of the request. Moreover, paragraph C2.4.3 states that to facilitate the\npreparation of an initial draft program protection plan, a summarized collection threat\nassessment should be provided to the program within 30 days of the request.\n\nThreat products were taking in excess of 180 days from when they initiated their\nproduction process to the development of their integrated threat assessment product. The\nintegrated threat assessment was an alternative to the DoD Manual 5000.1-M mandated\nmultidisciplinary counterintelligence threat assessment, which is required to be a CPI-\ncentric tailored threat assessment. The integrated threat assessments that were reviewed\nwere not CPI-focused tailored threat assessments; nor did program officials believe the\nproduct was particularly useful.\n\nThe System Threat Assessment Report is a DoD 5000 series mandated intelligence\nproduct that must be reviewed by the Milestone Decision Authority at milestones B and\nC. The System Threat Assessment Report describes the future operational threat\nenvironment, the system-specific threat, and any reactive threats that could affect\nprogram decisions. The System Threat Assessment Report also addresses CPI in the\nsubject weapons platform, but from a perspective of the threat at the time of fielding and\nin the battlespace. In response to the request from the program and in an attempt to\ndeliver a more timely and relevant System Threat Assessment Report, the National Air\nand Space Intelligence Center recently used an innovative approach called the Virtual\nSystem Threat Assessment Report to produce a responsive intelligence product. The\nprogram\xe2\x80\x99s System Threat Assessment Report evolved from a series of Virtual System\nThreat Assessment Reports, a new methodology for building threat assessments for Air\nForce and Air Force-led force modernization programs.\n\nThe Virtual System Threat Assessment Report supplements the traditional paper System\nThreat Assessment Report with a modular, online product that is more up-to-date, easier\nto maintain, and more efficient to produce. The Virtual System Threat Assessment\nReport significantly expands the use of hyperlinks to provide the user with direct access\nto Intelligence Community reporting and databases for details on specific threat systems.\nAlthough the threat annexes in Appendix B of the System Threat Assessment Report are\ncurrent, the online version will be continuously updated and provide a more general\nassessment of the overall threats.\n                             FOR OFFICIAL USE ONLY\n                                       10\n\x0cThe improved methodology resulted in a better crafted and more focused product for the\nprogram. However, as with the integrated threat assessment, program personnel believed\nthe System Threat Assessment Report was not provided in a timely manner. They\nbelieved the milestone decision point was too late in the process for the System Threat\nAssessment Report to effectively inform program decisions; having the impact later may\nmean re-doing or re-thinking the design. Delayed receipt of the System Threat\nAssessment Report could have impacted cost, schedule, and performance of the\nacquisition program resulting in re-programming if the delayed report had revealed\nintelligence information, unknown at the time the acquisition plan was formulated, which\ncould have negatively impacted systems capabilities.\n\nIn accordance with DoD Instruction 5200.39, the DSS assists DoD counterintelligence\nelements in coordinating the execution of counterintelligence support plans at the\nfacilities of cleared defense contractors with classified CPI. The contract\xe2\x80\x99s DD Form\n254, which includes security requirements and classification guidance for facilities with\nclassified contracts, should indicate the existence of CPI so that the DSS will know what\nareas need enhanced levels of protection.\n\nThe DD Form 254 also needs to identify cleared defense contractors working on\nclassified contracts with classified or unclassified CPI, as well as employees with access\nto the locations where classified contracts with classified or unclassified CPI reside. The\nDSS is developing procedures to centralize the receipt, analysis, and dissemination of\nsuch information in a manner that permits maximum control and use. Defense PMs must\nfurnish the DSS with a copy of the program protection plan and counterintelligence\nsupport plan to adequately provide overlapping counterintelligence support to protect\nCPI. In addition, the identification of all subcontractors working on classified programs\nwith classified or unclassified CPI as well as a program point of contact would further\nimprove the protection of CPI.\n\nSpecific to the program, there was insufficient communication between the DSS and the\nprime contractor regarding subcontractors and the requirements established by program\noffice staff for the protection of CPI. While program CPI is unclassified, it resides in a\nclassified facility and the information still requires a greater level of protection than non-\ncritical program information. The DSS was not informed of the existence of program\nCPI. It was not indicated in the DD Form 254, and there was no communication between\nthe DSS and program office staff. Moreover, there was no place on the DD Form 254 to\nidentify which subcontractors possessed CPI. If the program\xe2\x80\x99s DD Form 254 had\nspecified the existence of unclassified CPI and the requisite protection measures, the DSS\ncould have incorporated CPI protection requirements into its facility inspections. The\nDD Form 254 could also have included a program point of contact for reporting\nviolations and counterintelligence concerns. With this information, DSS could have\nassisted in efforts to safeguard CPI by reviewing the levels of CPI protection during the\ncourse of regular inspections of the cleared defense facility.\n\nOffice of the Army Inspector General\nThe Office of the Army IG noted that counterintelligence support, provided by elements\nof the 902nd Military Intelligence Brigade, is being stretched thin due to deployments and\na high operational tempo for 902nd counterintelligence agents. The inspected facilities all\nreported that they received outstanding support from the 902nd Military Intelligence\nBrigade, but their supporting office was short-handed due to deployments and support\nwas more \xe2\x80\x9con-call\xe2\x80\x9d than in previous years.\n\n\n                              FOR OFFICIAL USE ONLY\n                                        11\n\x0cOffice of the Naval Inspector General\nAt one headquarters, there is dedicated and sufficient counterintelligence support\nconsisting of four Naval Criminal Investigative Service (NCIS) agents providing full-\ntime, on-site presence. Counterintelligence support to program protection planning,\nforeign collection threats and awareness briefs is adequate. Counterintelligence\nanalytical support is provided through reach-back to subject matter experts at NCIS\nheadquarters. However, given the nature of research and development, along with the\nknown threat and exploitation efforts of any number of Foreign Intelligence Services, on-\nsite agents are encouraged to conduct a more aggressive out-reach effort in order to foster\ncloser working relationships with the intelligence, counterintelligence, and law\nenforcement communities.\n\nIt was noted during inspections of other organizations that highly successful security\nprograms are often enhanced by close, cooperative, and effective working relationships\nbetween individuals, and a sound policy. Where a counterintelligence support plan is in\nplace, the NCIS provides substantive counterintelligence support through a dedicated\nNCIS agent presence. For FY 2012, NCIS has adopted a new support concept that\nfocuses on known threats against specific technologies. By concentrating on specific\ncritical technologies facing known intelligence threats, NCIS hopes to optimize its\ninvestment in supporting security and counterintelligence efforts.\n\nOffice of the Air Force Inspector General\nFive of six PMs did not adequately use the counterintelligence threat assessment with\nsystem-specific CPI and vulnerabilities to develop appropriate countermeasures. PMs\nlacked knowledge of system specific CPI and were unfamiliar with their\ncounterintelligence threat assessments. As a result, it was recommended that PMs and\nthe system security working group use integrated threat assessments provided by AFOSI\nto develop appropriate countermeasures and provide documentation for program\nprotection planning and system security working group minutes at all meetings. PMs will\nalso include support contractors in program protection efforts.\n\nMissile Defense Agency\nMDA auditors found that counterintelligence personnel were involved early in the CPI\nassessment phase, participating in the integrated product teams.\n\n6. Foreign Visits Program\nThis issue area was assessed to determine whether published guidance for foreign visits is\nrelevant and adhered to by program, intelligence, counterintelligence, and security\npersonnel.\n\nDoD Office of Inspector General\nAs part of our assessment to determine whether published guidance for foreign visits is\nrelevant to and adhered to by program, intelligence, counterintelligence, and security\npersonnel, we also assessed this issue area because in a policy letter, \xe2\x80\x9cAccountability of\nDepartment of Defense (DoD) Sponsored Foreign Personnel in the United States (U.S.),\xe2\x80\x9d\nMay 18, 2004, the Deputy Secretary of Defense requires all IGs to verify compliance\nwith the sponsored foreign personnel policy through their inspection processes.\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       12\n\x0cWe also assessed this issue area to ensure that decisions to grant foreign nationals access\nto classified and controlled unclassified information during their visits to DoD\nComponent and cleared contractor facilities are consistent with the security and foreign\npolicy interests of the United States and DoD Directives 5230.11, 5230.20, and 5530.3. 2\nIf there is to be foreign involvement in any aspect of a program or foreign access to the\nsystem or its related information, the program protection plan should contain provisions\nto deny inadvertent or unauthorized access.\n\nThe Air Force ACAT ID program management office did not have any foreign\ngovernment or international organization involvement in program development. It was\nnoted, however, that some programs that will be part of the system of systems that the\nprogram will support have international aspects.\n\nIf a cooperative development arrangement with a foreign government or international\norganization is contemplated in the future, an international agreement should be\nnegotiated, and the required documents, such as the summary statement of intent and the\ndelegation of disclosure authority letter, will detail the countermeasures necessary to\nprotect U.S. Air Force information and technology under such a program. With regard to\nany potential of a foreign military sale (including coproduction), the ACAT ID program\nmanagement office will defer to the Deputy Under Secretary of the Air Force for\nInternational Affairs and the Assistant Secretary of the Air Force for Acquisition for the\nformulation of the Air Force export policy for the program.\n\nOffice of the Army Inspector General\nThe Office of the Army IG found no significant findings in this issue area.\n\nOffice of the Naval Inspector General\nThe Office of the Naval IG found that a more robust database program would no doubt\nenhance security, but inspections did find evidence that foreign visit request vetting\nagainst known program security restrictions is generally effective.\n\nOffice of the Air Force Inspector General\nThe Office of the Air Force IG found that unit PMs did not complete a technology\nassessment/control plan when foreign participation was authorized. As a result, the unit\ncompleted the technology assessment/control plan and expanded the system security\nworking group process to include all stakeholders. A step-by-step checklist was also\nimplemented, to ensure future compliance with technology assessment/control plan\nrequirements prior to initial acquisition board and acquisition strategy panel.\n\nMissile Defense Agency\nMDA assessed the International Security, Security & Emergency Management, and\nCounterintelligence Directorates to assess the procedures for processing foreign national\nand foreign visitor requests and further, that MDA\xe2\x80\x99s control and oversight for foreign\nnationals and visitors to prohibit unauthorized disclosure of military information\ncomplies with applicable DoD and MDA guidance and instructions.\n\n\n\n2\n DoD Directive 5230.11, \xe2\x80\x9cDisclosure of Classified Military Information to Foreign Governments and\nInternational Organizations,\xe2\x80\x9d June 16, 1992; DoD Directive 5230.20, \xe2\x80\x9cVisits and Assignments of Foreign\nNationals,\xe2\x80\x9d June 22, 2005; and DoD Directive 5530.3, \xe2\x80\x9cInternational Agreements,\xe2\x80\x9d June 11, 1987.\n\n                                 FOR OFFICIAL USE ONLY\n                                           13\n\x0cMDA reviewed whether the in-place procedures and associated controls were adequate to\nprevent the unauthorized disclosure of military information to foreign nationals and\nvisitors. MDA personnel examined the five most recent foreign national and visitor\nrequests. MDA, during their self-assessment found:\n\n   \xe2\x80\xa2   MDA uses the Foreign Visits System - Confirmation Module, to document all\n       visits (walk-in, scheduled, or unscheduled) to MDA facilities. International\n       Security personnel complete Foreign Visitor Data Sheets for each foreign national\n       or foreign visitor seeking access to MDA facilities and all data collected is\n       entered into the Foreign Visits System - Confirmation Module. MDA Security\n       Operations Center PM is responsible for updating the Foreign Visits System -\n       Confirmation Module and filling in all required fields.\n   \xe2\x80\xa2   Foreign nationals and visitors do not have access to information systems at MDA.\n   \xe2\x80\xa2   Foreign nationals and visitors are required to wear yellow badges indicating their\n       foreign visitor status, even if they are accredited and assigned as a foreign liaison\n       officer. They must present picture identification and current passport number for\n       access into MDA facilities. Request for foreign national visits are coordinated by\n       international security personnel and front desk security personnel at facilities to\n       be visited.\n   \xe2\x80\xa2   (FOUO) Incoming foreign national and visitor requests are also coordinated by\n       international security personnel with the Counterintelligence Directorate.\n       Counterintelligence personnel check all available data on visitors and determine\n       the threat level for the visit. The assigned threat level determines the visitor\xe2\x80\x99s\n       access to MDA facilities and personnel. Should counterintelligence personnel\n       identify a potential threat associated with a visit, additional threat mitigation\n       measures are taken before the visit.\n   \xe2\x80\xa2   Counterintelligence personnel routinely provide threat briefings and regular\n       training to MDA employees prior to any foreign national or visitor arrival. In\n       addition, counterintelligence personnel conduct debriefings at the conclusion of\n       each visit.\n\n7. Horizontal Protection of Critical Program Information,\nCritical Functionality, and Critical Components\nThis issue area was assessed to determine whether published guidance for horizontal\nprotection is relevant and adhered to by program, security, intelligence, and\ncounterintelligence personnel. We assessed the issue area to ensure that critical Defense\ntechnologies, to include CPI, associated with more than one RDA program are protected\nto the same degree by all involved DoD activities\n\nDoD Office of the Inspector General\nDoD Instruction 5200.39 states that it is DoD policy to conduct comparative analysis of\ndefense systems technologies and align CPI protection activities horizontally throughout\nDoD.\n\nThe DoD Instruction 5200.39 requirement that a horizontal protection database be used in\nsupport of the identification of CPI was further solidified on July 22, 2010, when the\nUSD(AT&L) issued a memorandum designating the Acquisition Security Database as the\nhorizontal protection database for the Department. The Acquisition Security Database is\nnow under the control, oversight, and management of the Director, Defense Research and\nEngineering, and currently tracks 728 programs.\n\n\n                             FOR OFFICIAL USE ONLY\n                                       14\n\x0cIn the memorandum, the USD(AT&L) states that the Heads of DoD Components use the\nAcquisition Security Database to execute mission requirements for the horizontal\nprotection of DoD Component CPI. The memorandum also states that within 90 days,\nthe Heads of DoD Components shall submit their respective plans for entering current,\nfuture, and legacy RDA programs/projects into the Acquisition Security Database and for\nupdating these records at each milestone.\n\nThe Acquisition Security Database, a horizontal protection database, provides the RDA\ncommunity with greater access to CPI. Use of a single horizontal protection database by\nthe RDA community would represent an important step toward greater protection of\nDoD\xe2\x80\x99s CPI. Once the RDA community is populating a single horizontal protection\ndatabase, RDA protection practitioners will be able to view all programs with similar CPI\nto help ensure consistent RDA protection support and decrease the mishandling or\ninadvertent compromise of CPI, especially with respect to CPI that is inherited from other\nRDA programs.\n\nAir Force Pamphlet 63-1701, requires the System Security Working Group make\nhorizontal protection determinations for identified CPI, but there is no policy or standard\nprocess for review of databases to accomplish this objective. Program officials stated\nthat horizontal protection was considered and the Acquisition Security Database was\nconsulted during the conduct of the System Security Working Group. However, the Air\nForce had developed its own horizontal protection database. Recent guidance provides a\nway ahead for the Air Force to use the Acquisition Security Database exclusively for\nhorizontal protection purposes. This will ensure consistent application of horizontal\nprotection across services and acquisition programs.\n\nOffice of the Army Inspector General\nThe Office of the Army IG found no significant findings in this area.\n\nOffice of the Naval Inspector General\nThe Office of the Naval IG found that there is no clear cohesive horizontal protection\nstrategy of CPI across the Navy at this time; however, the Deputy Assistant to the\nSecretary of the Navy for Research, Development, Test and Evaluation plans to\nimplement the USD (AT&L) memorandum, \xe2\x80\x9cDocument Streamlining \xe2\x80\x93 Program\nProtection Plan,\xe2\x80\x9d July 18, 2011, and Directive-Type Memorandum 09-016 \xe2\x80\x93 \xe2\x80\x9cSupply\nChain Risk Management (SCRM) to Improve the Integrity of Components Used in DoD\nSystems,\xe2\x80\x9d March 25, 2010. Therefore, the Department of the Navy now requires ACAT\nID, IAM and Special Interest programs to follow the July 18, 2011, memorandum.\nACAT IC, ACAT II thru ACAT IV, and Abbreviated Acquisition Programs will tailor\nthe memo to their program. This new approach to program protection plan expands the\nexisting DoD IG guidance criteria and recognizes program protection as the Navy's\nholistic approach for delivering trusted systems. The priority for memo implementation\nwill be ACAT ID programs as the Navy conducts a phased approach to Navy Enterprise\nimplementation of the memo.\n\nOffice of the Air Force Inspector General\nThe Office of the Army IG did not inspect this area of the guidelines.\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       15\n\x0cMissile Defense Agency\nMDA reviewed programs with CPI to determine whether they developed a program\nprotection plan and sampled three to determine whether CPI information was recorded\nand tracked into the DoD Acquisition Security Database, for horizontal protection: MDA\nreviewed program protection plans for seven MDA programs to determine whether they\nwere current and appropriately approved. Four of the seven programs had a completed\nand appropriately approved program protection plan. Three of the seven programs did\nnot have a completed and appropriately approved program protection plan. The\ninformation on CPI from the three sampled programs matched the information in the\nAcquisition Security Database. CPI in the program protection plans and the Acquisition\nSecurity Database matched for the three sampled programs because actions of MDA\xe2\x80\x99s\nResearch, Development and Acquisition Security Directorate horizontally protected CPI\nby appropriately recording it in the Acquisition Security Database.\n\n8. Policies to Protect Critical Program Information,\nCritical Functionality, and Critical Components\nThis issue area was assessed to determine whether published guidance for the\nidentification and protection of CPI is relevant and adhered to by program, intelligence,\ncounterintelligence, and security personnel.\n\nDoD Office of the Inspector General\nWe primarily assessed RDA protection efforts using DoD Instruction 5200.39; however,\nthere are many issuances on related areas, and from multiple agencies that address RDA\nprotection.\n\nAir Force policies do not focus on total integration of security, intelligence, and\ncounterintelligence throughout a program\xe2\x80\x99s lifecycle. It was noted that Air Force policies\non program protection, namely Air Force Policy Directive 63-17 and Air Force Pamphlet\n63-1701, reference out-of-date DoD policy and were developed prior to the Air Force\xe2\x80\x99s\nestablishment of its Integrated Lifecycle Management Enterprise policies. Consequently,\nthe primary Air Force policies focused on the protection of CPI are not consistent with\nAir Force Instruction 63-101, and can cause confusion in terms of Air Force policy\ndefinitions relative to CPI.\n\nThe program office has yet to negotiate and agree on specific protections to be\nimplemented for the sites hosting CPI. DoD Instruction 5200.39 guidance on this subject\nhas yet to be promulgated. Enclosure 2, paragraph 4.b. of DoD Instruction 5200.39 tasks\nthe DoD Chief Information Officer to \xe2\x80\x9cidentify minimum security requirements for\ncontractor owned and operated information systems for the protection of CPI.\xe2\x80\x9d\nDirective-Type Memorandum 08-027, \xe2\x80\x9cSecurity of Unclassified DoD Information on\nNon-DoD Information Systems,\xe2\x80\x9d July 31, 2009, addresses security requirements for\ncontractors processing DoD information on non-DoD information systems and may\nprovide a model for this, but it does not address the protection of CPI specifically.\n\nOffice of the Army Inspector General\nThe Office of the Army IG did not inspect this area of the guidelines.\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       16\n\x0cOffice of the Naval Inspector General\nThe Office of the Naval IG found that the full implementation of the new USD (AT&L)\npolicies would make great strides towards delivering trusted systems to the warfighting\ncommunity. However, that implementation will require application of new skills and\nsome revision to the Navy\xe2\x80\x99s current \xe2\x80\x9ccommand inspection\xe2\x80\x9d approach to research and\ntechnology protection.\n\nOffice of the Air Force Inspector General\nThe Office of the Air Force IG inspected this area and found no deficiencies in this area.\n\nMissile Defense Agency\nMDA reviewed the CPI/program protection plan guidance to determine if there was\nstandardized and approved MDA guidance that was in accordance with DoD Instruction\n5200.39. MDA has approved guidance on CPI/program protection planning with their\nMDA Instruction, 5200.08-INS, \xe2\x80\x9cCritical Program Information (CPI) Protection Within\nthe Missile Defense Agency,\xe2\x80\x9d August 1, 2011. The Director, MDA approved MDA\nInstruction, 5200.08-INS. The MDA Instruction is in accordance with DoD guidance,\nand like the DoD Instruction, it directs the early identification of CPI and appropriate\nprotection throughout the system life cycle.\n\nThe MDA\xe2\x80\x99s Research, Development and Acquisition Security Directorate developed a\nstandardized and repeatable process providing additional guidance and describing\ndetailed procedures for performing specific protection tasks in a draft CPI Protection\nManual, \xe2\x80\x9cProcedures for CPI Protection Within the Missile Defense Agency.\xe2\x80\x9d The\nDirectorate is instructing programs with CPI to follow the manual as standard operating\nprocedures.\n\n\n\n\n                             FOR OFFICIAL USE ONLY\n                                       17\n\x0cAppendix A. Memorandum of Understanding\n\n\n\n\n            FOR OFFICIAL USE ONLY\n                      18\n\x0cFOR OFFICIAL USE ONLY\n          19\n\x0cFOR OFFICIAL USE ONLY\n          20\n\x0cFOR OFFICIAL USE ONLY\n          21\n\x0cAppendix B. List of Service Facilities\nInspected\nA. U.S. Army Research, Development, Test and\nEvaluation Facilities Inspected During FY 2011\n    1. Night Vision and Electronic Sensors Directorate, Fort Belvoir, VA\n    2. Space and Missile Defense Technical Center, Space and Missile Defense\n           Command, Redstone Arsenal, AL\n    3. Aberdeen Test Center, Army Test and Evaluation Center, Aberdeen Proving\n           Grounds, MD\n    4. Engineer Research and Development Center, U.S. Army Corps of Engineers,\n           Vicksburg, MS\n    5. Redstone Technical Test Center, Army Test and Evaluation Command,\n           Redstone Arsenal, AL\n    6. Tank-Automotive Research Development Test and Evaluation Center, Army\n           Materiel Command, Warren, MI\n\nB. Navy Research, Development, Test and Evaluation\nFacilities Inspected During FY 2011\n    1. Surface Combat Systems Center, Wallops Island, VA\n    2. Coastal Systems Station Dahlgren Division, Naval Surface Warfare\n           Center, Panama City, FL\n    3. Carderock Division, Naval Surface Warfare Center,\n           West Bethesda, MD\n    4. Naval Ship Systems Engineering Station, Carderock Division, Naval Surface\n           Warfare Center, Philadelphia, PA\n    5. Naval Surface Warfare Center, Indian Head Division, Indian Head, MD\n    6. Naval Research Laboratory, Washington, DC\n\nC. Air Force Research, Development, Test and\nEvaluation Facilities Inspected During FY 2011\n     1. Air Force Materiel Command, Electronic Systems Center/C2ISR\n           Directorate/Space C2 and Surveillance Division, Peterson\n           Air Force Base, CO\n    2. Air Force Materiel Command, Aeronautical Systems Center Staff and 88th\n           ABW Program Protection Functions, Wright-Patterson\n           Air Force Base, OH\n    3. Air Force Materiel Command, Aeronautical Systems Center Agile Combat\n           Support Directorate, Wright-Patterson Air Force Base, OH\n\n\n                        FOR OFFICIAL USE ONLY\n                                  22\n\x0c4. Air Force Materiel Command, Aeronautical Systems Center Mobility\n       Directorate, Wright-Patterson Air Force Base, OH\n5. Air Force Materiel Command, Aeronautical Systems Center Fighters and\n       Bombers Directorate, Wright-Patterson Air Force Base, OH\n6. Air Force Materiel Command, Aeronautical Systems Center ISR Directorate,\n       Wright-Patterson Air Force Base, OH\n7. Air Force Materiel Command, Oklahoma City Air Logistics Center Staff,\n       Tinker Air Force Base, OK\n8. Air Force Materiel Command, Oklahoma City Air Logistics Center/76th\n        Maintenance Wing, Tinker Air Force Base, OK\n9. Air Force Materiel Command, Oklahoma City Air Logistics Center/Aircraft\n        Sustainment Directorate, Tinker Air Force Base, OK\n10. Air Force Materiel Command, Warner-Robins Air Logistics Center Staff,\n        Warner-Robins Air Force Base, GA\n11. Air Force Materiel Command, Warner-Robins Air Logistics Center/402nd\n        Maintenance Wing, Warner-Robins Air Force Base, GA\n12. Air Force Materiel Command, Warner-Robins Air Logistics Center/Aircraft\n        Sustainment Directorate, Warner-Robins Air Force Base, GA\n13. Air Force Materiel Command, Air Force Office of Scientific Research, Joint\n        Base Andrews/Arlington, VA\n14. Air Force Materiel Command, Headquarters Air Force Research Laboratory,\n        Wright-Patterson Air Force Base, OH\n15. Air Force Materiel Command, Air Force Research Laboratory, Air Vehicles\n        Directorate, Wright-Patterson Air Force Base, OH\n16. Air Force Materiel Command, Air Force Research Laboratory, Materials and\n        Manufacturing Directorate, Wright-Patterson Air Force Base, OH\n17. Air Force Materiel Command, Air Force Research Laboratory, Sensors\n        Directorate, Wright-Patterson Air Force Base, OH\n18. Air Force Materiel Command, Air Force Research Laboratory, Propulsion\n        Directorate, Wright-Patterson Air Force Base, OH\n19. Air Force Materiel Command, Air Force Research Laboratory/Information\n        Directorate, Rome, NY\n20. Air Force Materiel Command, AF Global Logistics Support Center/448th\n        Supply Chain Management Wing, Tinker Air Force Base, OK\n21. Air Force Materiel Command, AF Global Logistic Support Center, 591st\n        Supply Chain Management Group, Wright-Patterson Air Force Base, OH\n22. Air Force Materiel Command, AF Global Logistic Support Center/448th\n        Supply Chain Management Wing/638th Supply Chain Management\n        Group, 404th Supply Chain Management Squadron, 405th Supply Chain\n        Management Squadron, 406th Supply Chain Management Squadron,\n        Robins Air Force Base, GA\n\n\n\n\n                    FOR OFFICIAL USE ONLY\n                              23\n\x0cFOR OFFICIAL USE ONLY\n\x0c"